


ELLIPTIC CURVE CRYPTOSYSTEMS FOR LOW MEMORY DEVICES 






BACKGROUND OF THE INVENTION 






The present invention relates to cryptosystems, and, more particularly, is directed to cryptosystems wherein a handheld device for each user of the cryptosystem selects its own elliptic curve, rather than using an elliptic curve predetermined for all users of the cryptosystem.



In a conventional elliptic curve cryptosystem, as shown in Fig. 1, a central facility selects a finite field, an elliptic curve, a generator of an appropriate subgroup of the group of points of the elliptic curve over the finite field, and determines the order of that generator. The central facility distributes these data among the participants in the cryptographic system. Each participant then selects a secret key, computes a corresponding public key, and may optionally obtain certification for its public key. The objective of the certificate is to make one party's public key available to other parties in such a way that those other parties can independently verify that the public key is valid and authentic. An advantage of the conventional system is that, while a lot of computation is required both to obtain the cardinality of the group of points of an elliptic curve over a finite field and to find an elliptic curve for which this cardinality satisfies the security requirements, this computation need not be performed by participants, which would be very burdensome, as the computation is performed once by the central facility.

Conventional elliptic curve cryptosystems are used in the same applications as other public key cryptosystems, such as authentication, certification, encryption/decryption, signature generation and verification.

As shown in Fig. 2, to use the conventional elliptic curve cryptosystem, two parties wishing to communicate exchange their cryptographic data, and then proceed with their communication, such as a signature scheme or a data encryption/decryption scheme.

A serious problem with the above-described conventional elliptic curve cryptosystem is that all participants are vulnerable to an attack on the centrally selected elliptic curve and finite field. That is, the system is vulnerable to a concentrated attack on the discrete logarithm problem in the group defined by the centrally selected elliptic curve and finite field. Thus, there is a need to reduce the vulnerability to attack of elliptic curve cryptosystems, in particular, cryptosystems having the cryptographic functionality implemented in a small, inexpensive, low power device such as a so-called "smart card".

SUMMARY OF THE INVENTION

In accordance with an aspect of the invention, a method of selecting an elliptic curve for a cryptosystem is provided. A prime number $p$ defining a field $\mathbb{F}_p$ is selected. A set of candidate elliptic curves $E_i$ over the field $\mathbb{F}_p$ is selected. Then a set of modular polynomials $\Psi_\ell$ modulo $p$ for a list of candidate auxiliary primes $\ell$ is found by a calculation in characteristic $p$ using a stored polynomial. The roots modulo $p$ of the modular polynomials $\Psi_\ell$ are found. Kernel polynomials $h(X)$ based on the roots of the modular polynomials $\Psi_\ell$ are generated. An eigenvalue $e$ for one of the kernel polynomials $h(X)$ is found. A value $t$ based on the eigenvalue $e$ and the prime number $p$ is obtained. The number of points of one of the candidate elliptic curves $E_i$ over $\mathbb{F}_p$ is compared with the value $t$ to make a determination whether the candidate elliptic curve is sufficiently secure. When the determination is that the candidate elliptic curve is sufficiently secure, the candidate elliptic curve is selected for the cryptosystem.

The step of finding the set of modular polynomials $\Psi_\ell$ is performed without table look-up of the modular polynomials $\Psi_\ell$.

When the determination is that the candidate elliptic curve is insufficiently secure, the step of obtaining the number of points is repeated for another of the candidate elliptic curves $E_i$.

The prime number $p$ has about 200 bits, and the number of points of the selected elliptic curve is a product of a second prime number and a cofactor, the cofactor having up to 5 bits.

In accordance with another aspect of the invention, a method of encrypting a message $M$ is provided, wherein an elliptic curve $E$ is selected according to the method described above, and then the following are selected: a point $P$ of prime order $q$ on the selected elliptic curve $E$ over the field $\mathbb{F}_p$, a secret positive integer $m$ and a random positive integer $k$, $m < q$, $k < q$. The points $k \otimes P$ and $k \otimes (m \otimes P) = (x, y)$ on the curve $E$ are obtained, and the pair $(k \otimes P,\ (x \cdot M) \bmod p)$ is obtained as the encrypted message.

In accordance with yet another aspect of the invention, a method of obtaining a digital signature for a message $M$ is provided, wherein an elliptic curve $E$ is selected according to the method described above, and then the following are selected: a point $P$ of prime order $q$ on the selected elliptic curve $E$ over the field $\mathbb{F}_p$, a secret positive integer $m$ and a random positive integer $k$, $m < q$, $k < q$. A cryptographically secure hash value $d$ between 1 and $q - 1$ of the message $M$ is obtained, and $k \otimes P = (x, y)$ is calculated. The pair $((x + d) \bmod q,\ (k - m(x + d)) \bmod q)$ is obtained as the digital signature.

In accordance with a further aspect of the invention, a portable device for encoding information using an elliptic curve cryptosystem is provided, having means for selecting an elliptic curve by finding the roots of modular polynomials $\Psi_\ell$ modulo $p$ for a list of candidate auxiliary primes $\ell$ and a prime number $p$ by a calculation in characteristic $p$ using a stored polynomial, and means for encoding the information using the selected elliptic curve.

In accordance with a still further aspect of the invention, a portable device for digitally signing information using an elliptic curve cryptosystem is provided, having means for selecting an elliptic curve by finding the roots of modular polynomials $\Psi_\ell$ modulo $p$ for a list of candidate auxiliary primes $\ell$ and a prime number $p$ by a calculation in characteristic $p$ using a stored polynomial, and means for digitally signing the information using the selected elliptic curve.

It is not intended that the invention be summarized here in its entirety. Rather, further features, aspects and advantages of the invention are set forth in or are apparent from the following description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a flowchart showing a set-up phase of a common curve elliptic curve cryptosystem;

Fig. 2 is a flowchart showing operation of a common curve elliptic curve cryptosystem;

Figs. 3A and 3B are flowcharts showing set-up and operation of a proposed user-selected curve elliptic curve cryptosystem;

Figs. 4A and 4B are flowcharts showing set-up and operation of a user-selected curve elliptic curve cryptosystem according to the present invention;

Figs. 5A-5C comprise a flowchart showing, in detail, the flowchart of Fig. 4B;

Fig. 6 is a flowchart showing selection of a suitable elliptic curve, as required in step 130 of Fig. 5A;

Fig. 7 is a flowchart showing calculation of a modular polynomial $\Psi_\ell$, as required in step 200 of Fig. 5A;

Fig. 8 is a flowchart showing generation of a polynomial $G_k$, as required in step 780 of Fig. 7;

Fig. 9 is a flowchart showing how to obtain an eigenvalue $e$, as required in step 370 of Fig. 5B;

Fig. 10 is a flowchart showing how to obtain polynomials $a_s(X)$, $b_s(X)$, $c_s(X)$ and $d_s(X)$;

Fig. 11 is a flowchart showing how to obtain coefficients $a_k$; and

Fig. 12 is a flowchart showing how to obtain the coefficients $(-1)^i s_i$.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the present invention, each user, typically represented by a respective handheld low memory device such as a smart card, selects its own elliptic curve and verifies that the elliptic curve is sufficiently secure. It is an important aspect of the present invention that each user's device is able to independently verify the sufficiency of security of its selected elliptic curve.

It is an important aspect of the present invention that a central facility is not required during key creation but may be used during key certification. Users wishing to communicate exchange cryptographic data, and then encrypt and decrypt as desired. Advantageously, cryptosystems according to the present invention are not vulnerable to an attack on a centrally selected elliptic curve and finite field, since such targets do not exist. Another advantage of cryptosystems according to the present invention is that a central facility cannot influence selection of cryptographic parameters, and therefore cannot disadvantage users, such as by selecting parameters with a "trapdoor" facilitating unauthorized retrieval of a user's secret key.

Practically, an elliptic curve for an elliptic curve cryptosystem is sufficiently secure when the number of points in the group of the elliptic curve, also referred to as the "order" of the elliptic curve, is divisible by a prime number of at least a predetermined length. After counting the number of points in the group of the elliptic curve, it is straightforward to assess the security of the elliptic curve. When the order is divisible by a sufficiently large prime number, then the discrete logarithm (DL) problem faced by an unauthorized user of the cryptosystem presents sufficient computational difficulty that the security of the cryptosystem is adequate. A large prime factor is necessary but not by itself sufficient: the procedure described below also rejects curves that appear to be supersingular, and a practitioner would additionally reject the anomalous case $\#E(\mathbb{F}_p) = p$, for which the discrete logarithm is easy.

An overview of polynomial time algorithms for determining the number of points on an elliptic curve is presented in Schoof, "Counting points on elliptic curves over finite fields", J. de Théorie des Nombres de Bordeaux, vol. 7, 219-254 (1995). The instant technique for finding an appropriate elliptic curve is based on the Schoof-Elkies-Atkin algorithm. Examples of algorithms are provided in Elkies, "Elliptic and modular curves over finite fields and related computational issues", in Buell et al. (ed.), Computational Perspectives in Number Theory, AMS, 21-76 (1998). A practical implementation of the Schoof-Elkies-Atkin algorithm is described in Morain, "Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques", J. de Théorie des Nombres de Bordeaux, vol. 7, 255-282 (1995). Another implementation involving a match and sort method and isogeny cycles is described in Izu et al., "Efficient Implementation of Schoof's Algorithm", in Lecture Notes in Computer Science: ASIACRYPT '98, Beijing, Springer, 66-79 (1998).

The instant technique for determining the number of points on an elliptic curve is similar to that described in Morain's 1995 paper. As discussed further below, a modular polynomial $\Psi_\ell$ must be generated for each candidate auxiliary prime number $\ell$.

Fig. 3A shows that, for Morain's technique, in a set-up procedure performed ahead of actual operation, the modular polynomials $\Psi_\ell$ for characteristic 0 are generated and stored in a TABLE. Fig. 3B shows that, for Morain's technique, during usage, the modular polynomials $\Psi_\ell$ are obtained via TABLE look-up, and then an appropriate elliptic curve is found.

Fig. 4A shows that, for the instant technique, in a set-up procedure, the set of modular polynomials $\Psi_\ell$ for $\ell$ belonging to a set of small primes $A_s$ (discussed in detail below) is hard-coded in software, such as by placing the polynomials in a table. Fig. 4B shows that, for the instant technique, during usage, the modular polynomials $\Psi_\ell \bmod p$ for the $\ell$ in $A_s$ are obtained by retrieving the modular polynomials $\Psi_\ell$ from the table and by reducing the retrieved polynomials modulo $p$, whereas the $\Psi_\ell \bmod p$ for $\ell$ not in $A_s$ are obtained dynamically, where $p$ is a large prime number, after which an appropriate curve is found.



WO 00/14924 PCT/US99/20411



The performance of Morain's technique during usage will now be compared with the performance of the instant technique during usage.

Using Morain's technique, even when a device is not performing cryptographic computing, it must keep the TABLE in memory, which consumes about 300 KB (kilobytes), for a particular security level. For the same security level, using the instant technique, when a device is not performing cryptographic computing, only executable software, including the modular polynomials $\Psi_\ell$ corresponding to the small primes $\ell$, is kept in memory and consumes about 40 KB.

Using Morain's technique, when a device is performing cryptographic calculations, it requires about 300 KB for the TABLE and 40 KB for the executable cryptographic code, for a total requirement of 340 KB. Using the instant technique, when a device is performing cryptographic calculations, it requires about 100 KB for the dynamically calculated $\Psi_\ell$ and 40 KB for the executable cryptographic code, for a total requirement of about 140 KB. It is observed that since the $\Psi_\ell$ are not calculated in characteristic 0 during the dynamic calculation of the instant technique, only the $\Psi_\ell \bmod p$ being calculated, less memory is required than for Morain's technique, which calculates the $\Psi_\ell$ in characteristic 0.

Thus, it can be seen that the present technique requires dramatically less memory in a device than Morain's technique. Reduced memory requirements make it practical to use a cheaper device, which in turn makes cryptographic protection according to the present technique available to a wider range of applications.

Referring to Figs. 5A-5C, the instant technique for obtaining a suitable elliptic curve $E$ will now be described. The steps depicted in Figs. 5A-5C are assumed to be performed by a general purpose computer programmed in accordance with the instant technique, but may alternatively be performed by a specially designed circuit.

Let $E$ be an elliptic curve defined using predetermined integers $a_4$, $a_6$ as follows:

$$E:\ y^2 = x^3 + a_4 x + a_6$$

When a large odd prime $p$ does not divide $4a_4^3 + 27a_6^2$, the elliptic curve $E$ can be reduced to an elliptic curve over the field $\mathbb{F}_p$.

Let $\#E(\mathbb{F}_p)$ be the number of points of $E$ over $\mathbb{F}_p$, given as

$$\#E(\mathbb{F}_p) = p + 1 - t$$

where $t$ is an integer which satisfies

$$-2\sqrt{p} \le t \le 2\sqrt{p}$$

The instant technique finds $t$ modulo several small auxiliary primes. When the product of the auxiliary primes exceeds $4\sqrt{p}$, the Chinese Remainder Theorem is used to recover the exact value of $t$, and hence the exact value of $\#E(\mathbb{F}_p)$.

At step 110 of Fig. 5A, a prime number $p$ having about 200 bits, hence a value around $2^{200}$, is chosen. At step 120, it is determined whether $p \equiv 3 \pmod 4$; if not, then the procedure returns to step 110 and selects a different prime number $p$.

The instant technique proceeds with a predetermined number of candidate curves, such as 70 candidates, in parallel. For a randomly chosen elliptic curve $E$ over $\mathbb{F}_p$, the probability that $\#E(\mathbb{F}_p) = x \cdot r$ for a positive integer $x < 30$ and a prime number $r$ is about 3%, so approximately 70 curves must be evaluated to find a curve where the group order $\#E(\mathbb{F}_p)$ has a large prime factor $r$ which, in turn, ensures that the DL problem is sufficiently difficult. Let the predetermined number of curves be $i_{MAX}$; in this example $i_{MAX} = 70$. At step 130, a suitable curve $E_i$ is found for $i = 1, \ldots, i_{MAX}$, and the following quantities dependent on $E_i$ are also found: $j(E_i)$, $a_s$, $b_s$, $c_s$ and $d_s$.

Fig. 6 is a flowchart depicting a procedure for finding a suitable candidate elliptic curve $E$.

At step 600, values for the coefficients $a_4$ and $a_6$ are randomly selected in $\mathbb{F}_p$.

At step 610, it is checked whether the prime number $p$ divides $4a_4^3 + 27a_6^2$. If so, then $E$ is not an elliptic curve when reduced modulo $p$ and the procedure returns to step 600 to select new coefficients. If not, the procedure continues to step 620.

At step 620, the $j$-invariant $j(E)$ is found:

$$j(E) = \frac{6912\,a_4^3}{4a_4^3 + 27a_6^2} \in \mathbb{F}_p$$

At step 640, it is checked whether the $j$-invariant is 0 or 1728. If so, then the procedure returns to step 600 to select new coefficients. If not, the procedure continues to step 650.

At step 650, a random point $Q$ on $E$ is selected, and at step 660, it is checked whether $(p + 1) \otimes Q = \mathcal{O}$ (the point at infinity), that is, whether $p + 1$ annihilates the point $Q$. If so, then $E$ is probably supersingular and it is best to return to step 600 and select new coefficients. If not, then $E$ is definitely not supersingular and the procedure continues to step 670. If $(p + 1) \otimes Q = \mathcal{O}$, then steps 650 and 660 may be repeated for another randomly chosen point $Q$, to decrease the likelihood of rejecting a curve that is not supersingular.
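The encryption and signature methods of the Summary (the pairs $(k \otimes P,\ (x \cdot M) \bmod p)$ and $((x + d) \bmod q,\ (k - m(x + d)) \bmod q)$) and the candidate-curve filter of steps 600-660 above, worked through in Python as an added example that is not part of the patent. It replaces the 200-bit prime and the Schoof-Elkies-Atkin point count with a 10-bit prime and brute-force counting, so that a curve whose order is a 5-bit cofactor times a prime is found in milliseconds. The hash function (SHA-256), the requirement that $x \ne 0$ in the encryption step, and the verification equation $s \otimes P + r \otimes (m \otimes P) = k \otimes P$ are this example's own choices: the text names neither a hash nor a verification procedure.

```python
import hashlib
import random
# Added example, not the patent's code: a 10-bit prime replaces the ~200-bit prime of
# the text so that brute-force point counting can stand in for Schoof-Elkies-Atkin.
P_TOY = 1019          # prime with P_TOY % 4 == 3, as step 120 requires
MAX_COFACTOR = 31     # "cofactor having up to 5 bits"
INF = None            # the point at infinity

def inv(a, p):
    return pow(a, p - 2, p)

def add(P, Q, a4, p):
    """Affine group law on y^2 = x^3 + a4*x + a6 over F_p."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    lam = (3 * x1 * x1 + a4) * inv(2 * y1, p) if P == Q else (y2 - y1) * inv(x2 - x1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, a4, p):
    """Scalar multiplication k (x) P by double-and-add."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P, a4, p)
        P, k = add(P, P, a4, p), k >> 1
    return R

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def count_points(a4, a6, p):
    """#E(F_p) by Euler's criterion on every x; feasible only at toy size."""
    n = 1                                                   # the point at infinity
    for x in range(p):
        rhs = (x ** 3 + a4 * x + a6) % p
        n += 1 if rhs == 0 else 2 * (pow(rhs, (p - 1) // 2, p) == 1)
    return n

def random_point(a4, a6, p, rng):
    while True:
        x = rng.randrange(p)
        rhs = (x ** 3 + a4 * x + a6) % p
        if rhs == 0 or pow(rhs, (p - 1) // 2, p) == 1:
            return (x, pow(rhs, (p + 1) // 4, p))           # sqrt, valid as p = 3 mod 4

def select_curve(p, rng):
    """Fig. 6 at toy scale: reject singular curves (step 610), j in {0, 1728} (step 640)
    and curves that look supersingular (step 660); accept when #E = h * q with q prime
    and h a 5-bit cofactor, the criterion the text applies to the group order."""
    while True:
        a4, a6 = rng.randrange(p), rng.randrange(p)
        disc = (4 * a4 ** 3 + 27 * a6 ** 2) % p
        if disc == 0 or 6912 * a4 ** 3 * inv(disc, p) % p in (0, 1728 % p):
            continue
        if mul(p + 1, random_point(a4, a6, p, rng), a4, p) is INF:
            continue
        n = count_points(a4, a6, p)
        for h in range(1, MAX_COFACTOR + 1):
            if n % h == 0 and is_prime(n // h) and n // h > MAX_COFACTOR:
                return a4, a6, n, n // h

def encrypt(M, pub, P, q, a4, p, rng):
    """Summary-of-invention encryption: (k(x)P, x*M mod p) with (x, y) = k(x)(m(x)P)."""
    while True:
        k = rng.randrange(1, q)
        x = mul(k, pub, a4, p)[0]
        if x:                          # x must be invertible to decrypt (our assumption)
            return mul(k, P, a4, p), x * M % p

def decrypt(ct, m, a4, p):
    return ct[1] * inv(mul(m, ct[0], a4, p)[0], p) % p

def hash_to_range(M, q):
    """d in [1, q-1]; SHA-256 is this example's choice, the text names no hash."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % (q - 1) + 1

def sign(M, m, P, q, a4, p, rng):
    """Signature ((x + d) mod q, (k - m(x + d)) mod q) with (x, y) = k(x)P."""
    k = rng.randrange(1, q)
    r = (mul(k, P, a4, p)[0] + hash_to_range(M, q)) % q
    return r, (k - m * r) % q

def verify(M, sig, pub, P, q, a4, p):
    """Not in the text: s(x)P + r(x)(m(x)P) = k(x)P, whose x plus d must reduce to r."""
    r, s = sig
    R = add(mul(s, P, a4, p), mul(r, pub, a4, p), a4, p)
    return R is not INF and (R[0] + hash_to_range(M, q)) % q == r

def demo(seed=7):
    rng = random.Random(seed)
    a4, a6, n, q = select_curve(P_TOY, rng)
    P = INF
    while P is INF:                                         # clear the cofactor: P has order q
        P = mul(n // q, random_point(a4, a6, P_TOY, rng), a4, P_TOY)
    m = rng.randrange(1, q)                                 # secret key; public key is m(x)P
    pub, M, msg = mul(m, P, a4, P_TOY), 677, b"trace"       # constructed inputs, M in F_p
    ct, sig = encrypt(M, pub, P, q, a4, P_TOY, rng), sign(msg, m, P, q, a4, P_TOY, rng)
    other = next(b"trace%d" % i for i in range(10 ** 6)     # a message hashing to d' != d
                 if hash_to_range(b"trace%d" % i, q) != hash_to_range(msg, q))
    return {"order": n, "q": q, "qP_is_inf": mul(q, P, a4, P_TOY) is INF,
            "roundtrip": decrypt(ct, m, a4, P_TOY) == M,
            "valid": verify(msg, sig, pub, P, q, a4, P_TOY),
            "forged": verify(other, sig, pub, P, q, a4, P_TOY)}
```

`demo()` returns the outcome of each check. The forged-message test deliberately picks a message whose hash differs from the signed one, which makes the rejection deterministic rather than merely probable at toy group sizes, where $q$ may be only a few hundred.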

At step 670, values are initialized for the Chinese Remainder count of the trace $t$. The modulus $M$ for $E$ with respect to known $t$ is set to 1. The value $T$ such that $t \equiv T \pmod M$ is set to 0.

At step 690, expressions modulo $p$ are found for the polynomials $a_s(X)$, $b_s(X)$, $c_s(X)$ and $d_s(X)$ for $s \le R$ as follows, where the upper bound $R = 11$ is large enough for the set of candidate auxiliary prime numbers $\ell$ used here. Fig. 10 is a detailed flowchart for the processing that occurs at step 690 of Fig. 6.

At step 1010 of Fig. 10, the following terms are initialized:

$$w(X) = X^3 + a_4 X + a_6$$
$$f_1(X) = 1$$
$$f_2(X) = 2$$
$$f_3(X) = 3X^4 + 6a_4 X^2 + 12a_6 X - a_4^2$$
$$f_4(X) = 4X^6 + 20a_4 X^4 + 80a_6 X^3 - 20a_4^2 X^2 - 16a_4 a_6 X - 4a_4^3 - 32a_6^2$$

At step 1020, polynomials are determined for $s = 2$ as follows:

$$a_2(X) = 4X\,w(X) - f_3(X)$$
$$b_2(X) = 4w(X)$$
$$c_2(X) = f_4(X)/4$$
$$d_2(X) = 8w(X)^2$$

At step 1030, a counter $n$ is set to a value of 5.

At step 1040, it is checked whether $n$ is even.

If the result of the check at step 1040 is that $n$ is even, then at step 1050, $m$ is set to $n/2$. At step 1060, the expression $f_n$ is set to

$$f_n = f_m\,\big(f_{m+2} f_{m-1}^2 - f_{m-2} f_{m+1}^2\big)/2$$

and processing proceeds to step 1110.

If the result of the check at step 1040 is that $n$ is odd, then at step 1070, $m$ is set to $(n - 1)/2$. At step 1080, it is checked whether $m$ is even. If $m$ is even, then at step 1090, $f_n$ is set to

$$f_n = w^2 f_{m+2} f_m^3 - f_{m-1} f_{m+1}^3$$

and processing proceeds to step 1110. If $m$ is odd, then at step 1100, $f_n$ is set to

$$f_n = f_{m+2} f_m^3 - w^2 f_{m-1} f_{m+1}^3$$

and processing proceeds to step 1110.

At step 1110, the counter $n$ is incremented. At step 1120, it is checked whether $n = R + 3$. If not, then processing returns to step 1040.

If the result of the check at step 1120 is positive, then at step 1130, $s$ is set to 3.

At step 1140, it will be appreciated that $s$ is odd and in the range $2 < s \le R$. Polynomials are evaluated as follows:

$$a_s(X) = X f_s(X)^2 - w(X) f_{s-1}(X) f_{s+1}(X)$$
$$b_s(X) = f_s(X)^2$$
$$c_s(X) = f_{s+2}(X) f_{s-1}(X)^2 - f_{s-2}(X) f_{s+1}(X)^2$$
$$d_s(X) = 4 f_s(X)^3$$

The polynomials $a_s(X)$, $b_s(X)$, $c_s(X)$ and $d_s(X)$ are stored, for retrieval at step 920, discussed below.

At step 1150, $s$ is incremented by 2, that is, to be the next odd number. At step 1160, it is checked whether $s > R$. If so, then processing terminates. If not, then processing returns to step 1140.
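The recurrences of steps 1010-1160, coded in Python as an added example (not the patent's code) over a constructed toy curve. The toy values of $p$, $a_4$ and $a_6$ are the example's own assumptions. The check at the end uses the fact behind steps 1020 and 1140, namely that $(a_s/b_s,\ y\,c_s/d_s)$ are the coordinates of $s \otimes (X, y)$, so they must satisfy the curve equation; clearing denominators turns that into a polynomial identity in $X$ that the code verifies exactly.

```python
# Added example (not the patent's code) on a constructed toy curve: p and the a4, a6
# below are arbitrary small values; the recurrences are those of Fig. 10 unchanged.
P, A4, A6 = 1019, 2, 3                 # 4*A4^3 + 27*A6^2 = 275 != 0 mod P: non-singular

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def padd(a, b, sign=1):
    get = lambda c, i: c[i] if i < len(c) else 0
    return trim([(get(a, i) + sign * get(b, i)) % P for i in range(max(len(a), len(b)))])

def psub(a, b):
    return padd(a, b, -1)

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def pscale(a, c):
    return trim([c * x % P for x in a])

def ppow(a, e):
    out = [1]
    for _ in range(e):
        out = pmul(out, a)
    return out

W = [A6, A4, 0, 1]                     # w(X) = X^3 + a4 X + a6, low-degree coefficient first
X = [0, 1]

def division_polys(R):
    """Fig. 10, steps 1010-1120: f_1, ..., f_{R+2}. For even n the factor y of the usual
    division polynomial is dropped, which is why f_2 = 2 and w = y^2 enters squared."""
    f = {1: [1], 2: [2], 3: [-A4 * A4, 12 * A6, 6 * A4, 0, 3],
         4: [-4 * A4 ** 3 - 32 * A6 ** 2, -16 * A4 * A6, -20 * A4 ** 2, 80 * A6, 20 * A4, 0, 4]}
    f = {n: pscale(c, 1) for n, c in f.items()}            # reduce the literals mod p
    w2, half = pmul(W, W), pow(2, P - 2, P)
    for n in range(5, R + 3):
        m = n // 2                                         # steps 1050 / 1070
        if n % 2 == 0:                                     # step 1060
            inner = psub(pmul(f[m + 2], ppow(f[m - 1], 2)), pmul(f[m - 2], ppow(f[m + 1], 2)))
            f[n] = pscale(pmul(f[m], inner), half)
        else:                                              # steps 1080-1100
            t1, t2 = pmul(f[m + 2], ppow(f[m], 3)), pmul(f[m - 1], ppow(f[m + 1], 3))
            f[n] = psub(pmul(w2, t1), t2) if m % 2 == 0 else psub(t1, pmul(w2, t2))
    return f

def multiplication_polys(R=11):
    """Steps 1020 and 1140: for s = 2 and odd 3 <= s <= R, the point s (x) (X, y) has
    coordinates (a_s(X)/b_s(X), y * c_s(X)/d_s(X))."""
    f = division_polys(R)
    polys = {2: (psub(pscale(pmul(X, W), 4), f[3]), pscale(W, 4),
                 pscale(f[4], pow(4, P - 2, P)), pscale(pmul(W, W), 8))}
    for s in range(3, R + 1, 2):
        a = psub(pmul(X, ppow(f[s], 2)), pmul(W, pmul(f[s - 1], f[s + 1])))
        c = psub(pmul(f[s + 2], ppow(f[s - 1], 2)), pmul(f[s - 2], ppow(f[s + 1], 2)))
        polys[s] = (a, ppow(f[s], 2), c, pscale(ppow(f[s], 3), 4))
    return polys

def satisfies_curve(s, R=11):
    """Consistency check: (a_s/b_s, y c_s/d_s) lies on E for every (X, y) on E, i.e. the
    polynomial identity w c_s^2 b_s^3 == d_s^2 (a_s^3 + a4 a_s b_s^2 + a6 b_s^3) holds."""
    a, b, c, d = multiplication_polys(R)[s]
    lhs = pmul(W, pmul(ppow(c, 2), ppow(b, 3)))
    rhs = pmul(ppow(d, 2), padd(padd(ppow(a, 3), pscale(pmul(a, ppow(b, 2)), A4)),
                                pscale(ppow(b, 3), A6)))
    return lhs == rhs
```

Two cheap sanity checks on the recurrence are that $f_n$ has degree $(n^2 - 1)/2$ for odd $n$ and $(n^2 - 4)/2$ for even $n$, with leading coefficient $n$ in both cases; `satisfies_curve` is the stronger check that the stored quotients really describe $s \otimes (X, y)$.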

Returning to Fig. 6, at step 695, the procedure is completed and a suitable $E$ has been found. It will be appreciated that the procedure of Fig. 6 is repeated to obtain each of the candidate curves $E_i$.
Returning to Fig. 5A, at step 160, a temporary value $g$ is initialized to 1.

At step 170, the temporary value $g$ is used as an index into the set $A$ of auxiliary primes $\{A[1], A[2], \ldots, A[36]\}$:

$$A = \{3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 47, 59, 71, 53, 61, 79, 83, 89, 101, 73, 131, 103, 107, 109, 97, 113, 151, 167, 127, 179, 139, 191, 149, 137, 173\}$$

At this point, $g = 1$, so the first of the auxiliary primes is obtained and used as the value for a candidate auxiliary prime $\ell$. After the first execution of step 170, $\ell = 3$.

At step 200, the modular polynomial $\Psi_\ell$ for the auxiliary prime $\ell$ currently being evaluated is obtained. If $\ell$ is one of the first eight of the auxiliary primes, then $\Psi_\ell$ is obtained by look-up in Table 1.
TABLE 1

Modular polynomial $\Psi_\ell(F, J)$ for each of the first eight auxiliary primes $\ell$. Coefficients written $(\ldots)$ are illegible in the source.

$\ell = 3$:
$$\Psi_3 = F^4 + (-J + 792)F^3 + (-36J + 221400)F^2 + (1916J + 24690528)F + (J^2 + 50976J + 803894544)$$

$\ell = 5$:
$$\Psi_5 = F^6 + (-J + 780)F^5 + (-30J + 218940)F^4 + (310J + 25968800)F^3 + (13700J + 1177897200)F^2 + (38424J + 22576632000)F + (J^2 - 614000J + 155720872000)$$

$\ell = 7$:
$$\Psi_7 = F^8 + (-J + 776)F^7 + (-28J + 217756)F^6 + (21J + 26195512)F^5 + (6328J + 1276406726)F^4 + (39361J + 31050881848)F^3 + (-240492J + 404938789276)F^2 + (-2176581J + 2721214073864)F + (J^2 - 1711008J + 7427483226241)$$

$\ell = 11$:
$$\Psi_{11} = F^{12} + (-J + 684)F^{11} + (55J + 157410)F^{10} + (\ldots)F^9 + (\ldots)F^8 + (-69630J + 76077144)F^7 + (177408J - 207606564)F^6 + (-133056J - 34321320)F^5 + (-132066J + 418524975)F^4 + (187407J - 477130500)F^3 + (-40095J + 270641250)F^2 + (-24300J - 82012500)F + (J^2 + 6750J + 11390625)$$

$\ell = 13$:
$$\Psi_{13} = F^{14} + (-J + 772)F^{13} + (-26J + 216424)F^{12} + (-156J + 26333528)F^{11} + (1508J + 1359640022)F^{10} + (21658J + 39120460496)F^9 + (39624J + 716780223796)F^8 + (-612742J + 8956723925032)F^7 + (-3355976J + 79070093432161)F^6 + (454779J + 500196729175884)F^5 + (\ldots)F^4 + (95939974J + 7142292018579744)F^3 + (-41335164J + 15009662255513328)F^2 + (-291162600J + 18874201488396480)F + (J^2 - 174668400J + 10755802087387200)$$

$\ell = 17$:
$$\Psi_{17} = F^{18} + (-J + 690)F^{17} + (51J + 160191)F^{16} + (-1105J + 12849212)F^{15} + (13243J + 77940903)F^{14} + (-95659J - 24306702)F^{13} + (424065J + 489756655)F^{12} + (-1110355J + 856070496)F^{11} + (1454945J + 247945272)F^{10} + (-73746J - 4127455840)F^9 + (-2450210J + 10326614640)F^8 + (3131026J - 15993234432)F^7 + (-1104830J + 18158824448)F^6 + (-1073992J - 15889021440)F^5 + (\ldots 392232J + 10788499200)F^4 + (-557600J - 5622784000)F^3 + (-2720J + 2154240000)F^2 + (67200J - 537600000)F + (J^2 - 16000J + 64000000)$$

$\ell = 19$:
$$\Psi_{19} = F^{20} + (-J + 664)F^{19} + (76J + 143260)F^{18} + (-2622J + 9204360)F^{17} + (54454J - 176115066)F^{16} + (-761425J + 1108178952)F^{15} + (7598556J - 1742337316)F^{14} + (-55989713J - 13420942600)F^{13} + (310967414J + 7967345585)F^{12} + (-1317638334J - 133492721376)F^{11} + (4284347658J - 271425795648)F^{10} + (-10696404825J + 1738318231104)F^9 + (20413753140J - 3257912161280)F^8 + (-29485216120J + 528231178240)F^7 + (31694225470J + 10718241992704)F^6 + (-24698209440J - 26958821326848)F^5 + (\ldots)F^4 + (-4738229120J - 31060143636480)F^3 + (973578240J + 16944463872000)F^2 + (-91238400J - 5430382166016)F + (J^2 + 1769472J + 782757789696)$$

$\ell = 23$:
$$\Psi_{23} = F^{24} + (-J + 720)F^{23} + (23J + 179952)F^{22} + (-161J + 17282016)F^{21} + 441081120\,F^{20} + (3864J + 5678198784)F^{19} + (-5681J + 45492865088)F^{18} + (-46644J + 252605710080)F^{17} + (53084J + 1038071734272)F^{16} + (393024J + 3294356631552)F^{15} + (19136J + 8309302456320)F^{14} + (-1978368J + 16991995871232)F^{13} + (-2689666J + 28563290271744)F^{12} + (2882544J + 39839110889472)F^{11} + (11625488J + 46370418130944)F^{10} + (11002464J + 45154515419136)F^9 + (-3833824J + 36762400456704)F^8 + (-19783680J + 24919460020224)F^7 + (-21906304J + 13946021740544)F^6 + (-11787776J + 6353857806336)F^5 + (-1554432J - 2304837156864)F^4 + (2213888J + 642483486720)F^3 + (1648640J + 129654325248)F^2 + (516096J + 16911433728)F + (J^2 + 65536J + 1073741824)$$



If $\ell$ is one of the remaining auxiliary primes, i.e., not one of the first eight auxiliary primes, then $\Psi_\ell \bmod p$ is obtained by computation, as described in Fig. 7.

At step 710, the value of a polynomial $P_\ell$ is obtained by look-up from Table 2. Let $v$ be the degree of $P_\ell$, that is, $-1$ times the smallest exponent of $q$ occurring in $P_\ell(j(q))$. The first column of Table 2 indicates the particular prime number $\ell$ under consideration. The second column of Table 2 indicates the number of coefficients in $\mathbb{F}_p$ which must be stored in connection with the polynomial $P_\ell(J)$, which is given in the third column of Table 2.

TABLE 2

  ℓ     8ℓv + ℓ + 3   P_ℓ(J)
  29        264       J + 11
  31        282       J + 1
  41        372       J - 5
  47        426       J + 9
  59        534       J + 24
  71        642       J - 33
  53        904       J^2 - 3J + 26
  61       1040       J^2 - 23J - 1
  79       1346       J^2 + 14J - 1
  83       1414       J^2 + 7J - 2
  89       1516       J^2 + 26J - 17
 101       1720       J^2 + 27J - 13
  73       1828       J^3 + 32J^2 - 30J + 1
 131       2230       J^2 - 47J - 51
 103       2578       J^3 + 34J^2 - 7J - 2
 107       2678       J^3 + 16J^2 - 32J + 11
 109       2728       J^3 - 51J^2 + 52J
  97       3204       J^4 + 32J^3 + 42J^2 - 24J - 2
 113       3732       J^4 - 37J^3 + 24J^2 - 3J - 36
 151       3778       J^3 + 34J^2 - 7J - 1
 167       4178       J^3 - 60J^2 + 3J - 14
 127       4194       J^4 ± 54J^3 ± 41J^2 ± 32J - 2   (signs illegible in source)
 179       4478       J^3 - 83J^2 + 18J - 62
 139       4590       J^4 - 56J^3 - 18J^2 + 40J + 1
 191       4778       J^3 + 60J^2 - 25J + 56
 149       4920       J^4 + 5J^3 - 61J^2 + 48J - 57
 137       5620       J^5 - 20J^4 - 23J^3 + 53J^2 + 65J + 52
 173       5712       J^4 - 34J^3 - 60J^2 - 74J - 22



At step 720, the coefficients $a_k \in \mathbb{F}_\ell$ are obtained. Fig. 11 is a flowchart for obtaining the coefficients $a_k$.

At step 1210 of Fig. 11, the truncated power series is obtained by considering modulo $\ell$ the power series

$$P_\ell(j(q))\,\eta(q)^{\ast}\,\eta(q^\ell)^{\ast} = \sum_{k=-v}^{2\ell v - v} a_k q^k + O\big(q^{(2v+1)\ell}\big) \pmod{\ell}$$

(the exponents of the two $\eta$ factors, marked $\ast$, are illegible in the source) and dropping all powers of $q$ with an exponent of at least $2\ell v - v + 1$.

At step 1220, $k$ is set to $-v$.

At step 1230, the coefficients $a_k$ (which are not to be confused with the polynomials $a_s$) are obtained by multiplying the terms on the left hand side modulo $\ell$ and reading off the resulting coefficients. The polynomial $P_\ell$ was obtained in step 710. The term $j(q)$ is obtained from:

$$j(q) = \frac{1728\,E_4(q)^3}{E_4(q)^3 - E_6(q)^2} = q^{-1} + 744 + 196884\,q + 21493760\,q^2 + \ldots$$

For any integer $n$, let the function $\sigma_k(n)$ denote the sum of the $k$-th powers of the positive divisors of $n$. The $q$-series used in the above equation are given as:

$$E_4(q) = 1 + 240\sum_{n=1}^{\infty} \sigma_3(n)\,q^n = 1 + 240\,q + 2160\,q^2 + 6720\,q^3 + \ldots$$

$$E_6(q) = 1 - 504\sum_{n=1}^{\infty} \sigma_5(n)\,q^n = 1 - 504\,q - 16632\,q^2 - 122976\,q^3 - \ldots$$

The term $\eta(q)$ is obtained from

$$\eta(q) = \prod_{n=1}^{\infty} (1 - q^n) = \sum_{k=-\infty}^{\infty} (-1)^k q^{k(3k-1)/2} = 1 - q - q^2 + q^5 + \ldots$$

Although the $q$-series for $E_4(q)$, $E_6(q)$, $j(q)$ and $\eta(q)$ do not depend on $\ell$, their coefficients increase quickly and are only needed modulo $\ell$ or modulo $p$. Therefore, it is advantageous to compute them each time they are needed, rather than storing them. In a variation, only $1/\eta(q)$ modulo $p$ is computed and stored, since it is used for each auxiliary prime $\ell$.

At step 1240, it is checked whether $k = 2\ell v - v$. If yes, then processing in Fig. 11 terminates. If not, then at step 1250, $k$ is incremented and processing returns to step 1230.

Returning to Fig. 7, at step 730, the coefficients $b_k$ (which are not to be confused with the polynomials $b_s$) are obtained. For each $k$ between $-v$ and $2\ell v - v$, the coefficient $b_k$ is the least absolute remainder of $a_k$ modulo $\ell$, that is, the integer with the smallest possible absolute value that reduces to $a_k$ modulo $\ell$.

At step 740, the $q$-series for $f$ is obtained modulo $p$:

$$f = \Big(\sum_{k=-v}^{2\ell v - v} b_k q^k + O\big(q^{(2v+1)\ell + 1}\big)\Big) \Big/ \big(\eta(q)\,\eta(q^\ell)\big)^{\ast} \pmod p$$

(the exponent marked $\ast$ is illegible in the source).

At step 750, the $q$-expansions of $f, f^2, \ldots, f^\ell$ are obtained and used to define $a(n, k)$:

$$(f(q))^k = \sum_n a(n, k)\,q^n$$

At step 760, the terms $S_k(q)$, for $1 \le k \le \ell$, are obtained; the defining expression for $S_k(q)$ is illegible in the source.

At step 765, the terms $c_k(q)$, for $1 \le k \le \ell$, are obtained; the defining expression for $c_k(q)$ (a sum over indices up to $k - 1$, divided by $k$) is illegible in the source.

At step 770, the initial and final terms of $C(q)$ are set:

$$C_1(q) = -f + c_1(q)$$
$$C_{\ell+1}(q) = -f\,c_\ell(q)$$

At step 775, the terms $C_k(q)$ for each $2 \le k \le \ell$ are obtained:

$$C_k(q) = -f\,c_{k-1}(q) + c_k(q)$$

At step 780, the polynomials $G_k$ for $1 \le k \le \ell + 1$ are obtained. For each $1 \le k \le \ell + 1$, there is a polynomial $G_k$ such that $G_k(j(q)) = C_k(q) \bmod p$. Fig. 8 is a flowchart of a procedure for determining $G_k$.
At step 810 of Fig. 8, set $z = C_k(q)$. At step 820, set $t = \mathrm{order}(z)$, that is,

$$t = -\min\{n : \mathrm{coeff}(q^n \text{ in } z) \ne 0\}$$

At step 830, set $R = 0$ and $b = t$. The value $R$ is used to accumulate $G_k$. The value $b$ is decremented so as to accumulate one $G_k$ term for each power of $j(q)$ occurring in $z$.

At step 840, set $R = R + J^b\,\mathrm{coeff}(q^{-b} \text{ in } z)$. At step 850, set $z = z - \mathrm{coeff}(q^{-b} \text{ in } z)\,(j(q))^b$.

At step 860, determine whether $b = 0$. If not, then there are additional powers of $j(q)$ to be evaluated, so at step 870, $b$ is decremented and the procedure returns to step 840.

If $b = 0$ then all powers have been evaluated, and the procedure returns with $G_k = R$.

Returning to Fig. 7, at step 790, the modular polynomial $\Psi_\ell \bmod p$ is generated based on the polynomials $G_k$:

$$\Psi_\ell(F, J) = F^{\ell+1} + \sum_{k=1}^{\ell+1} G_k(J)\,F^{\ell+1-k}$$
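The $q$-series of Fig. 11 (step 1230) and the polynomial-in-$j$ extraction of Fig. 8 (steps 810-870), in Python as an added example that is not part of the patent. It computes $E_4$, $E_6$, $\eta$ and $j$ over the integers from the identities stated in the text, checks the coefficients $744$, $196884$ and $21493760$ together with the relation $E_4^3 - E_6^2 = 1728\,q\,\eta(q)^{24}$, and then recovers $G_k$ from a truncated Laurent series exactly as steps 820-870 describe, optionally modulo $p$. The truncation depth $N$, the integer (rather than mod-$\ell$) arithmetic, and the test series $z = j^2 + 5j - 3$ are the example's own choices.

```python
# Added example, not the patent's code: the q-series of Fig. 11 over the integers and
# the Fig. 8 extraction of a polynomial in j from a Laurent series in q.

def sigma(k, n):
    """Sum of the k-th powers of the positive divisors of n."""
    return sum(d ** k for d in range(1, n + 1) if n % d == 0)

def smul(a, b, N):
    """Product of two power series (coefficient lists, low order first) mod q^N."""
    out = [0] * N
    for i, x in enumerate(a[:N]):
        for j, y in enumerate(b[:N - i]):
            out[i + j] += x * y
    return out

def spow(a, e, N):
    out = [1] + [0] * (N - 1)
    for _ in range(e):
        out = smul(out, a, N)
    return out

def sinv(a, N):
    """Inverse of a power series with constant term 1, mod q^N."""
    out = [1] + [0] * (N - 1)
    for n in range(1, N):
        out[n] = -sum(a[i] * out[n - i] for i in range(1, min(n, len(a) - 1) + 1))
    return out

def eisenstein(k, c, N):
    """1 + c * sum_{n>=1} sigma_k(n) q^n mod q^N; E4 is (3, 240), E6 is (5, -504)."""
    return [1] + [c * sigma(k, n) for n in range(1, N)]

def eta(N):
    """eta(q) = prod_{n>=1} (1 - q^n), the form used in the text, mod q^N."""
    out = [1] + [0] * (N - 1)
    for n in range(1, N):
        out = [out[i] - (out[i - n] if i >= n else 0) for i in range(N)]
    return out

def delta_over_q(N):
    """(E4^3 - E6^2) / (1728 q) = 1 - 24 q + 252 q^2 - ..., mod q^N (exact integers)."""
    E4c = spow(eisenstein(3, 240, N + 1), 3, N + 1)
    E6s = spow(eisenstein(5, -504, N + 1), 2, N + 1)
    disc = [x - y for x, y in zip(E4c, E6s)]
    assert disc[0] == 0 and disc[1] == 1728
    return [c // 1728 for c in disc[1:]]

def j_series(N):
    """Coefficients of q^-1, q^0, ..., q^(N-2) of j(q) = 1728 E4^3 / (E4^3 - E6^2)."""
    return smul(spow(eisenstein(3, 240, N), 3, N), sinv(delta_over_q(N), N), N)

def j_laurent(N):
    """j(q) as a Laurent series {exponent: coefficient}, exponents -1 .. N-2."""
    return {i - 1: c for i, c in enumerate(j_series(N))}

def lmul(a, b, N):
    """Product of Laurent series {exponent: coeff}, keeping exponents < N."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            if ea + eb < N:
                out[ea + eb] = out.get(ea + eb, 0) + ca * cb
    return out

def lpow(a, e, N):
    out = {0: 1}
    for _ in range(e):
        out = lmul(out, a, N)
    return out

def polynomial_in_j(z, j, mod=None):
    """Fig. 8: for a Laurent series z that is a polynomial in j(q), return the
    coefficients G (low degree first) with G(j(q)) = z. t is the order of z (step 820);
    b runs from t down to 0 (steps 830-870), each time peeling off coeff(q^-b) * j^b."""
    z = dict(z)
    t = max([-e for e, c in z.items() if c] + [0])
    G = [0] * (t + 1)
    for b in range(t, -1, -1):
        c = z.get(-b, 0)
        if mod:
            c %= mod
        G[b] = c
        for e, v in lpow(j, b, 1).items():              # only exponents <= 0 matter
            z[e] = z.get(e, 0) - c * v
    return G
```

`j_laurent(N)` must carry at least $t$ terms beyond $q^{-1}$ for a series of order $t$, since $j^t$ needs $j$ known up to $q^{t-1}$ to be correct down to $q^0$; the example keeps everything over the integers and reduces only at the end, where the text would work modulo $\ell$ or $p$ from the start to bound coefficient growth.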

Returning to Fig. 5A, at step 210, a counter $i$ is set to 1. The counter $i$ is used to index the candidate elliptic curves under evaluation. Of course, other numbers of elliptic curves could be evaluated in parallel, or the elliptic curves could be evaluated serially, corresponding to $i_{MAX} = 1$.

At step 220, the roots $f$ in the field $\mathbb{F}_p$ of the expression $\Psi_\ell(f, j(E_i)) = 0$ are obtained. These roots may be obtained using Berlekamp's second algorithm, as described in H. Cohen, A Course in Computational Algebraic Number Theory, Springer-Verlag, 1993, pages 123-132. Let the set of roots be $\{f_1, \ldots, f_{d_{max}}\}$ where $d_{max}$ is the number of distinct roots $f$.
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1 At step 240, for each of the roots fd , d = 1 to d max (where d max is from step 

2 220), find all roots j e F p of 4^(7 > fd) = 0. These roots may also be obtained 

3 using Berlekamp's second algorithm, as discussed above. 

4 At step 270, any entries equal to 0 or 1728 in the lists of roots j are deleted. 

Turning to Fig. 5B, at step 300, for the first of the pairs of roots (f, j), values are obtained for the variables ã_4, ã_6 and p_1 via the following intermediate calculations:

E_4 = -48 a_4
E_6 = 864 a_6



11 2 = 



E 4 W,/) 

f i yi(/,7) 



12 E < = ^-^ Q 2 

j-vnsr 



13 £ 6 = E 4 Q 



1 



14 



15 

16 h = 



( E 2 



- f %i(f, Jl + 2fV n (/, J)~ ~Y (JV 2 (/, j) + j 2 V 22 (/, j)) 

E, fE A 



17 ^-(fj) 



~ Es „-> E} 



V 



■/■^n(/J) + 2*/F I2 (/J^ 

E 4 J E 4 , 
3E 4 2E 6

2 pi-/ 

ã_4 = -ℓ^4 Ẽ_4 / 48
ã_6 = ℓ^6 Ẽ_6 / 864

The values for all intermediate values may be discarded, that is, only the values for ã_4, ã_6 and p_1 are retained.

At step 310, the kernel polynomial h(X) of degree d = (ℓ-1)/2 is determined based on the values for ã_4, ã_6 and p_1 obtained at step 300. Figure 12 is a flowchart for the processing that occurs at step 310 of Fig. 5B.

At step 1310 of Fig. 12, the following values are set:

p_0 = d
p_2 = ((1 - 10d) a_4 - ã_4) / 30
p_3 = ((1 - 28d) a_6 - 42 p_1 a_4 - ã_6) / 70
c_1 = 6 p_2 + 2 a_4 d
c_2 = 10 p_3 + 6 a_4 p_1 + 4 a_6 d

At step 1320, a small positive integer S is selected that determines the number of extra terms which will be carried, such as S = 3.

At step 1330, for each 2 ≤ r ≤ d-1+S, the term c_{r+1} is obtained as follows:

c_{r+1} = [ 3 \sum_{k=1}^{r-1} c_k c_{r-k} - (2r-1)(r-1) a_4 c_{r-1} - (2r-2)(r-2) a_6 c_{r-2} ] / [ (r-1)(2r+5) ]

At step 1340, for each 3 ≤ n ≤ d-1+S, the term p_{n+1} is obtained as follows:

p_{n+1} = [ c_n - (4n-2) a_4 p_{n-1} - (4n-4) a_6 p_{n-2} ] / (4n+2)

These p_{n+1} terms are power sums of the roots of h(X).

At step 1350, s_0 is set to be 1.

At step 1360, for 1 ≤ i ≤ d+S, the term s_i is obtained as follows:

s_i = (1/i) \sum_{j=1}^{i} (-1)^{j-1} p_j s_{i-j}

Returning to Fig. 5B, at step 330, the procedure checks whether the result obtained at step 310 is valid. Specifically, a check is made as to whether s_{d+1} = s_{d+2} = ... = s_{d+S} = 0 for the terms obtained at step 1360 of Fig. 12.

If the result of the check at step 330 of Fig. 5B fails, that is, it is not the case that s_{d+1} = s_{d+2} = ... = s_{d+S} = 0, then, at step 340, the procedure determines whether there are any untried root pairs (f, j). If so, then at step 350, the next of the pairs (f, j) is selected, and the procedure returns to step 300. If all root pairs (f, j) have been tried, then the elliptic curve E_i being evaluated is not acceptable, and the procedure moves to step 400.

If the result of the check at step 330 is successful, that is, it is the case that s_{d+1} = s_{d+2} = ... = s_{d+S} = 0, then the procedure moves to step 360, and obtains the kernel polynomial h(X) as follows:

h(X) = \sum_{i=0}^{d} (-1)^i s_i X^{d-i}
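Steps 1310 through 1360 and the step 330 check, carried through in Python on the values of the worked example given later in this description (p = 9883, ℓ = 3, a_4 = 123, a_6 = 765, ã_4 = 2151, ã_6 = 1624, p_1 = 1563, S = 3). This is an added example written from the formulas above, not code from the patent; the function and variable names are the example's own.

```python
# Added example: steps 1310-1360 of Fig. 12 and the check of step 330,
# written from the formulas in the description (not the patent's own code).


def inv_mod(x, p):
    """Inverse of x modulo the prime p (pow with exponent -1 needs Python 3.8+)."""
    return pow(x % p, -1, p)


def kernel_polynomial(p, ell, a4, a6, a4t, a6t, p1, S=3):
    """Return (c, pw, s, valid, h) for the curve y^2 = x^3 + a4 x + a6 over F_p.

    a4t, a6t are the isogenous-curve coefficients (a~_4, a~_6 in the text) and
    p1 is the first power sum, all obtained at step 300.  d = (ell - 1)/2 is the
    degree of the kernel polynomial h(X).  h is returned as a coefficient list
    [X^d, X^(d-1), ..., X^0]; valid is the step 330 test s_{d+1} = ... = s_{d+S} = 0.
    """
    d = (ell - 1) // 2
    # Step 1310: power sums p_0, p_2, p_3 and the terms c_1, c_2.
    pw = {0: d % p, 1: p1 % p}
    pw[2] = ((1 - 10 * d) * a4 - a4t) * inv_mod(30, p) % p
    pw[3] = ((1 - 28 * d) * a6 - 42 * p1 * a4 - a6t) * inv_mod(70, p) % p
    c = {1: (6 * pw[2] + 2 * a4 * d) % p,
         2: (10 * pw[3] + 6 * a4 * p1 + 4 * a6 * d) % p}
    # Step 1330: c_{r+1} for 2 <= r <= d-1+S (S extra terms are carried along).
    for r in range(2, d - 1 + S + 1):
        conv = sum(c[k] * c[r - k] for k in range(1, r))
        num = (3 * conv
               - (2 * r - 1) * (r - 1) * a4 * c[r - 1]
               - (2 * r - 2) * (r - 2) * a6 * c.get(r - 2, 0))  # c_0 has coefficient 0
        c[r + 1] = num * inv_mod((r - 1) * (2 * r + 5), p) % p
    # Step 1340: p_{n+1} for 3 <= n <= d-1+S.
    for n in range(3, d - 1 + S + 1):
        num = c[n] - (4 * n - 2) * a4 * pw[n - 1] - (4 * n - 4) * a6 * pw[n - 2]
        pw[n + 1] = num * inv_mod(4 * n + 2, p) % p
    # Steps 1350-1360: Newton's identities turn the power sums into the
    # elementary symmetric functions s_i of the roots of h(X).
    s = [1]
    for i in range(1, d + S + 1):
        acc = sum((-1) ** (j - 1) * pw[j] * s[i - j] for j in range(1, i + 1))
        s.append(acc * inv_mod(i, p) % p)
    # Step 330: a genuine degree-d kernel has s_i = 0 for every i beyond d.
    valid = all(s[i] == 0 for i in range(d + 1, d + S + 1))
    # Step 360: h(X) = sum_{i=0}^{d} (-1)^i s_i X^(d-i).
    h = [(-1) ** i * s[i] % p for i in range(d + 1)]
    return c, pw, s, valid, h


def poly_str(coeffs, var="X"):
    """Render a coefficient list (highest degree first) as text, e.g. 'X + 8320'."""
    deg = len(coeffs) - 1
    terms = []
    for i, a in enumerate(coeffs):
        if a == 0:
            continue
        e = deg - i
        mon = "" if e == 0 else (var if e == 1 else f"{var}^{e}")
        terms.append(mon if (a == 1 and e > 0) else f"{a}{mon}")
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    # Values of the worked example in the description (p = 9883, ell = 3).
    c, pw, s, valid, h = kernel_polynomial(9883, 3, 123, 765, 2151, 1624, 1563, S=3)
    print("c:", c)                 # c_3 = 3867, c_4 = 6078
    print("p:", pw)                # p_4 = 725
    print("s:", s)                 # [1, 1563, 0, 0, 0]
    print("valid:", valid)         # True
    print("h(X) =", poly_str(h))   # X + 8320
```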

At step 370, the eigenvalue e based on the kernel polynomial h(X) is obtained. Fig. 9 is a flowchart illustrating a procedure for finding the eigenvalue e.

At step 905, h(X) is factored modulo ℓ using Berlekamp's algorithm.

At step 910, one of the factors of h(X) is henceforth used instead of h(X). In one embodiment, a factor of smallest degree is selected. In other embodiments, any factor of suitably small degree is selected.

At step 915, the value of ℓ is used to obtain a value for s, by lookup in Table 3.

TABLE 3

ℓ                                                                     s
3, 5, 7, 11, 13, 19, 23, 29, 47, 59, 71, 53, 61, 79, 83, 101, 131,
103, 107, 167, 179, 139, 191, 149, 173                                2
17, 31, 89, 113, 127, 137                                             3
73, 97, 151                                                           5
41                                                                    7
109                                                                   11

At step 920, the polynomials a_s(X), b_s(X), c_s(X), d_s(X) corresponding to the elliptic curve under consideration, as found in step 690, are retrieved.

At step 925, the degree of h(X) is obtained. If the result is even, the next step is step 930. If the result is odd, the next step is step 960.

At step 930, parameters are initialized as follows:

Q_1(X) = X^p mod h(X)
Q_2(X) = (X^3 + a_4 X + a_6)^{(p-1)/2} mod h(X)
P_1(X) = X mod h(X)
P_2(X) = 1
e = 1

At step 935, a check is made as to whether (P_1(X), P_2(X)) = (Q_1(X), ±Q_2(X)).

If the check at step 935 is negative, then at step 940, the parameters are simultaneously updated as follows, that is, the new P_1(X) and P_2(X) are each based on the previous P_1(X):

P_1(X) = a_s(P_1(X)) / b_s(P_1(X)) mod h(X)
P_2(X) = P_2(X) c_s(P_1(X)) / d_s(P_1(X)) mod h(X)
e = e s mod ℓ

Step 940 is repeated, at most (ℓ-1)/2 times, until the condition (P_1(X), P_2(X)) = (Q_1(X), ±Q_2(X)) is true. When the condition is true, the desired eigenvalue e has been found.

At step 945, a check is made as to whether P_2(X) = Q_2(X). If so, then at step 950, the desired eigenvalue is e. Otherwise, at step 955, the desired eigenvalue is determined as -e. The desired eigenvalue is then used at step 380 of Fig. 5B.

At step 960 of Fig. 9, parameters are initialized as follows:

Q_1(X) = X^p mod h(X)
P_1(X) = X mod h(X)
e = 1

At step 965, a check is made as to whether P_1(X) = Q_1(X).

If the check at step 965 is negative, then at step 970, the parameters are updated as follows:

P_1(X) = a_s(P_1(X)) / b_s(P_1(X)) mod h(X)
e = e s mod ℓ

Step 970 is repeated, at most (ℓ-1)/2 times, until the condition P_1(X) = Q_1(X) is true. When the condition is true, the desired eigenvalue e has been found.

At step 975, the desired eigenvalue is e s(e) (r/ℓ) e, where r is the resultant of h(X) and w(X) = (X^3 + a_4 X + a_6) and s(e) is the semi-order of e modulo ℓ, that is, the smallest positive n such that e^n = ±1 (modulo ℓ). A resultant is defined in Cohen, page 118, definition 3.3.2, and may be computed using Cohen, page 121, algorithm 3.3.7.

Returning to Fig. 5B, at step 380, the value t = e + (p/e) modulo ℓ is obtained. An extended Euclidean algorithm procedure for finding t is given in Cohen, pages 12-19, particularly page 16, algorithm 1.3.6.

At step 390, with x ≡ T_i mod M_i and x ≡ t mod ℓ, use the Chinese Remainder Theorem to find x ≡ T mod ℓ M_i. The Chinese Remainder Theorem is described in Cohen, pages 19-21.

The value T is chosen to have a minimum absolute value by subtracting ℓ M_i from the least non-negative remainder modulo ℓ M_i if the least non-negative remainder is larger than ℓ M_i / 2.

At step 395, values are reset as follows: T_i is set to be T, and M_i is set to be ℓ M_i. This completes evaluation of the current elliptic curve E_i.

Turning to Fig. 5C, at step 400, it is checked whether there are any more elliptic curves to be evaluated. If so, then at step 410, the counter i is incremented, thereby selecting the next elliptic curve, and the procedure returns to step 220.

If, at step 400, it is determined that there are no more elliptic curves to evaluate, then at step 420 it is checked whether there are any more candidate auxiliary primes to be evaluated. If so, then at step 430, the counter g is incremented, thereby selecting the next candidate auxiliary prime, and the procedure returns to step 170.

If, at step 420, it is determined that there are no more candidate auxiliary primes to evaluate, then at step 440, a counter i is initialized. Once again, the counter i is used to indicate which of the possible elliptic curves is being considered.

At step 450, it is checked whether M_i > 4 p^{0.5}, that is, whether the bound for M_i has been reached. If not, then at step 460, it is checked whether i = i_max, that is, whether there are any more elliptic curves. If there are, then at step 470, i is incremented and the procedure returns to step 450. If not, then all candidate elliptic curves for the originally chosen prime number p have failed to yield an acceptable elliptic curve, so the procedure returns to step 110 to pick a new prime number p.

If, at step 450, it is determined that M_i > 4 p^{0.5}, then at step 480, the value g is set to p + 1 - T_i, and at step 490, the largest x < 32 such that x divides g is found. This largest x is referred to as the cofactor ρ. The value 32 is equal to 2^5, with the value 5 being a second security parameter.

There are two main security parameters in the instant procedure. The first security parameter is embodied in step 110, and is the length in bits of the prime number p. The second security parameter is embodied in step 490, and is the logarithm to the base 2 of the largest small factor, rounded up to the nearest power of two, which divides g. This second security parameter is referred to as the maximum allowable length of the cofactor ρ. The difference between the two security parameters, in this case, 200 - 5 = 195, is a measure of the security of an elliptic curve chosen by the instant procedure, with a larger difference value indicating higher security.

At step 500, it is determined whether g/x is prime, such as by using a probabilistic compositeness test wherein if g/x can be proved to be composite, then g/x is not prime, and if the proof of compositeness for g/x fails, then g/x is assumed to be prime. A probabilistic compositeness test is described in A.K. Lenstra and H.W. Lenstra, Jr., "Algorithms in Number Theory" in Handbook of Theoretical Computer Science, J. van Leeuwen ed., pages 675-677 and 706-715, Elsevier Science 1990, the disclosure of which is hereby incorporated by reference. If the quotient g/x is not prime, then the procedure moves to step 460 to check the next elliptic curve.

If the quotient g/x is prime, then the procedure moves to step 505 to check if the present elliptic curve is insecure, that is, if g/x divides p^k - 1 for a positive integer k that is "too small", so that a sub-exponential attack on F_{p^k} would be faster than a square-root attack on E(F_p), which corresponds to

exp((1.923 + o(1)) (k log p)^{1/3} (log(k log p))^{2/3}) < p^{1/2}

If it is determined at step 505 that the present elliptic curve is insecure, then the procedure moves to step 460 to check the next elliptic curve.

If the present elliptic curve is determined to be secure at step 505, then an acceptable elliptic curve E_i has been found, and the procedure is finished.
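Steps 480 through 505 on one candidate curve, as an added Python example written from the description (not the patent's code), run on the worked example's p = 9883 and trace 62 that appears later in the text. The Miller-Rabin test stands in for the cited probabilistic compositeness test and the o(1) term of the attack-cost bound is dropped; the function names are the example's own.

```python
# Added example: steps 480-505 of Fig. 5C for one candidate curve, written from
# the description (not the patent's own code).  `trace` is the value T_i that
# step 395 accumulated; the two security parameters are the bit length of p and
# the maximum cofactor length (5 bits, i.e. x < 32).
from math import log


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin compositeness test: False means n is proved composite,
    True means no proof of compositeness was found, so n is assumed prime."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def largest_small_divisor(g, bound):
    """Step 490: the largest x < bound that divides g (the cofactor)."""
    return max(x for x in range(1, bound) if g % x == 0)


def subexp_attack_cheaper(p, k):
    """Step 505 criterion, compared in the log domain so that a large p does not
    overflow: 1.923 (k ln p)^(1/3) (ln(k ln p))^(2/3) < (1/2) ln p.
    The o(1) term of the description is dropped (an approximation)."""
    klnp = k * log(p)
    return 1.923 * klnp ** (1 / 3) * log(klnp) ** (2 / 3) < 0.5 * log(p)


def attack_relevant_k_max(p):
    """Largest k for which the sub-exponential attack on F_{p^k} would beat a
    square-root attack on E(F_p).  The cost grows with k, so stop at the first
    k that is no longer cheaper; 0 means no k qualifies (tiny p, as here)."""
    k = 0
    while subexp_attack_cheaper(p, k + 1):
        k += 1
    return k


def multiplicative_order(a, q, limit):
    """Smallest n <= limit with a^n = 1 (mod q), or None (the true embedding degree)."""
    x = 1
    for n in range(1, limit + 1):
        x = x * a % q
        if x == 1:
            return n
    return None


def evaluate_curve(p, trace, cofactor_bits=5):
    """Steps 480-505: is the curve with #E(F_p) = p + 1 - trace acceptable?"""
    g = p + 1 - trace                                   # step 480: number of points
    x = largest_small_divisor(g, 2 ** cofactor_bits)    # step 490: cofactor
    q = g // x
    prime = is_probable_prime(q)                        # step 500
    k_max = attack_relevant_k_max(p)
    # Step 505: insecure if q | p^k - 1 for some k small enough to matter.
    insecure = prime and any(pow(p, k, q) == 1 for k in range(1, k_max + 1))
    return {
        "g": g, "x": x, "q": q, "q_is_prime": prime,
        "k_max_checked": k_max, "insecure": insecure,
        "accepted": prime and not insecure,
        "security_margin_bits": p.bit_length() - cofactor_bits,
    }


if __name__ == "__main__":
    # The description's worked example: p = 9883 with trace 62, g = 9822, x = 6, q = 1637.
    print(evaluate_curve(9883, 62))
```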

In a modification, after step 500, if the quotient g/x is prime, rather than immediately terminating at step 510, the modified procedure collects the prime quotients for all the elliptic curves being evaluated, then chooses the curve with the largest quotient g/x, because that curve will be the most secure.

In another modification, instead of step 200 in Fig. 5A, the Ψ_ℓ can be found by table look-up, as is done by Morain (see page 264 Remarque), with the calculations in Fig. 7 done in characteristic 0, rather than modulo p, and at step 370 as soon as 4 p^{1/2} / M_i is sufficiently small, g may be found using a baby step-giant step approach, described in Cohen at pages 235-238, or rho-like methods, described in Cohen at pages 419-422.

In another modification, the technique of calculating the modular polynomials Ψ_ℓ mod p is combined with Morain's method of the isogeny cycles to allow the calculation to be carried out using fewer auxiliary primes.
An example of practicing the present technique will now be provided.

At step 110 of Fig. 5A, a prime is selected. For this example, a very short prime number, p = 9883, is chosen. It will be understood that, in practice, a much longer (larger) prime number is required for sufficient security.

At step 120, it is determined that 9883 = (4)(2470) + 3, so that p ≡ 3 (mod 4) is true.

At step 130, for this example, i_max = 1 is chosen. In practice, a larger value would be used. To find an elliptic curve E_i, at step 600 of Fig. 6, the values a_4 = 123 and a_6 = 765 are chosen. At step 610, the expression

(4(123)^3 + 27(765)^2) / 9883 = 23244543 / 9883

is evaluated and determined to not be an integer. At step 620, j(E) is obtained:
j(E) = 6912 (123)^3 / (4(123)^3 + 27(765)^2) = 476381952 / 860909

At step 640, neither of the conditions is true. At step 650, a value Q = (235, 2241) is selected; this is a point on E. At step 660, the following calculation is made:

(9883 + 1) ⊗ (235, 2241) = (1057, 6231) ≠ O

At step 670, M = 1, T = 0 and t = 0 mod 1. To perform step 690 of Fig. 6, processing moves to step 1010 of Fig. 10.

At step 1010 of Fig. 10, the following terms are set:

w(X) = X^3 + 123X + 765
f_1(X) = 1
f_2(X) = 2
f_3(X) = 3X^4 + 738X^2 + 9180X + 4637
f_4(X) = 4X^6 + 2460X^4 + 1902X^3 + 3793X^2 + 6579X + 9399

At step 1020, the following expressions are obtained:

a_2(X) = X^4 + 9631X^2 + 3763X + 5246
b_2(X) = 4X^3 + 492X + 3060
c_2(X) = X^6 + 615X^4 + 5417X^3 + 3419X^2 + 9057X + 9762
d_2(X) = 8X^6 + 1968X^4 + 2357X^3 + 2436X^2 + 3304X + 7141

Processing proceeds through steps 1030 and 1040. At step 1070, m = (5-1)/2 = 2 is obtained. Via step 1080, processing goes to step 1090 and generates the following expression:

f_5(X) = 5X^12 + 7626X^10 + 4093X^9 + 2618X^8 + 145X^7 + 4117X^6 + 2635X^5 + 2327X^4 + 2640X^3 + 9386X^2 + 3207X + 6568

At step 1110, n is incremented to n = 6. At step 1120, it is checked whether
6 = 10 + 3; since it is not, processing returns to step 1040, thence to step 1050 to set m = 6/2 = 3, and then to step 1060 to obtain:

f_6(X) = 6X^16 + 7829X^14 + 328X^13 + 5633X^12 + 2016X^10 + 1819X^9 + 39X^8 + 877X^7 + 1126X^6 + 71?X^5 + 5246X^4 + 4414X^3 + 8147X^2 + 7098X + 432

At step 1110, n is incremented to n = 7. Details of iterations until n is incremented to n = 13 are omitted for brevity. At step 1130, s is set to s = 3. At step 1140, the following expressions are obtained:

a_3(X) = X^9 + 8407X^7 + 5624X^6 + 9135X^5 + 4927X^4 + 7552X^3 + 3567X^2 + 1736X + 9178
b_3(X) = 9X^8 + 4428X^6 + 5665X^5 + 9135X^4 + 87X^3 + 5235X^2 + 3158X + 6244
c_3(X) = 4X^12 + 941X^10 + 1156X^9 + 6573X^8 + 8607X^7 + 7575X^6 + 9293X^5 + 8824X^4 + 443?X^3 + 7342X^2 + 6765X + 9442
d_3(X) = 108X^12 + 640X^10 + 3140X^9 + 5958X^8 + 3132X^7 + 3565X^6 + 4774X^5 + 6714X^4 + 46X^3 + 3319X^2 + 2006X + 4718

At step 1150, s is incremented by 2 to s = 5. Details of iterations until s is incremented to s = 11 are omitted for brevity. At step 1170, processing returns to step 695 of Fig. 6.

At step 695 of Fig. 6, processing returns to step 160 of Fig. 5A.

At step 160 of Fig. 5A, g is set to g = 1. At step 170, ℓ is set to ℓ = 3. At
step 200, the modular polynomial Ψ_3 is obtained from Table 1. At step 210, i is set to i = 1. At step 220, the roots of the following expression are found:

0 = F^4 + 9420F^3 + 8209F^2 + 5805F + 7290.

Specifically, there is only one root in F_9883 = F_p, f = 370. At step 240, the roots of the following expression are found:

0 = J^2 + 9380J + 5008.

Specifically, the roots J ∈ F_9883 are 1255 and 9131. At step 270, neither of the roots J is deleted. At step 300 of Fig. 5B, the pair (f, J) = (370, 9131) is selected. To calculate ã_4, ã_6 and p_1, processing as described above with regard to Fig. 5B, step 300, is executed, to obtain:

E_4 = 3979
E_6 = 8682
f' = 446
Q = 8595
Ẽ_4 = 5314
Ẽ_6 = 4487
t_1 = 8019
t_2 = 1442
t_3 = 2879
t_4 = 1657
p_1 = 1563
ã_4 = 2151
ã_6 = 1624
To execute step 310 of Fig. 5B, processing proceeds to step 1310 of Fig. 12.

At step 1310 of Fig. 12, the following values are set:

p_0 = 1
p_2 = 1868
p_3 = 4199
c_1 = 1571
c_2 = 2701

At step 1320, S is set to S = 3. At step 1330, the following are set:

c_3 = 3867
c_4 = 6078

At step 1340, the value p_4 = 725 is set. At step 1350, s_0 = 1. At step 1360, the following are obtained:

s_1 = 1563
s_2 = 0
s_3 = 0
s_4 = 0

Processing returns to step 330 of Fig. 5B.

At step 330 of Fig. 5B, since s_2 = s_3 = s_4 = 0, processing proceeds to step 360. At step 360, the kernel polynomial is found to be:

h(X) = X + 8320

To find the eigenvalue e at step 370, processing proceeds to step 905 of Fig. 9.

At step 905, it is determined that the polynomial h(X) is irreducible, that is, it lacks polynomial factors of smaller degree other than constant multiples of itself and 1. After step 910, h(X) = X + 8320 is obtained. At step 915, by table look-up, s = 2
is obtained. At step 920, the values for a_2, b_2, c_2 and d_2 from step 1020 are recalled.

At step 925, the degree of h(X) is found to be "1", so at step 960, the following values are set:

Q_1(X) = 1563
P_1(X) = 1563
e = 1

At step 965, P_1(X) = Q_1(X) is true, so at step 975, e = 1 is obtained and processing returns to step 380 of Fig. 5B.

At step 380 of Fig. 5B, t is calculated as t = 2. At step 390, T = -1. At step 395, T_i = -1 and M_i = 3.

Continuing to step 400 of Fig. 5C, since i = i_max is true, at step 420, g has a value of 2, so the check finds that 2 ≠ 36 and the result is negative. It is noted that, in a practical example, i_max = 70 is realistic, and so processing would iterate through step 410 i_max - 1 = 69 times before proceeding to step 420. This is not shown for brevity. Similarly, after the negative result at step 420, processing iterates through step 430 for ℓ = 5, 7, 11, 13, 17, 19 and 23, in similar manner as described above. Step 380 is executed for ℓ = 13 and ℓ = 23. On the next iteration through step 430, processing proceeds to step 170 of Fig. 5A and ℓ is set to ℓ = 29. To execute step 200, processing proceeds to step 710 of Fig. 7.

At step 710 of Fig. 7, the polynomial P_29(J) = J + 11 is obtained by table look-up, and the degree v has a value of 1. To execute step 720, processing proceeds to step 1210 of Fig. 11.

At step 1210 of Fig. 11, the truncated power series A is obtained as:

A = q^{-1} + q + q^5 - q^6 - 2q^7 - 2q^{10} + q^{11} - 2q^{15} + q^{19} - 2q^{22} + 2q^{28} + q^{29} + 2q^{30} - 2q^{31} + 2q^{34} + 2q^{40} + q^{41} - 2q^{42} + 2q^{48} - q^{55}

At step 1220, k is set to k = -1. At step 1230, a_{-1} is set to the coefficient of q^{-1} in the truncated power series A, that is a_{-1} = 1. At step 1240, it is checked whether (-1) = (2)(29)(1) - 1; since (-1) ≠ 57, processing proceeds to step 1250 to increment k to k = 0 and return to step 1230. Processing iterates as described above until all the coefficients a_i are determined as follows, all a_i = 0 for i = -1 to 57, except:

a_{-1} = 1, a_1 = 1, a_5 = 1, a_6 = -1, a_7 = -2, a_{10} = -2, a_{11} = 1, a_{15} = -2, a_{19} = 1, a_{22} = -2, a_{28} = 2, a_{29} = 1, a_{30} = 2, a_{31} = -2, a_{34} = 2, a_{40} = 2, a_{41} = 1, a_{42} = -2, a_{48} = 2, a_{55} = -1

When k = 57, the test at step 1240 is positive, so processing returns to step 730 of Fig. 7.

At step 730 of Fig. 7, the coefficients b_k are obtained as follows, all b_k = 0 for k = -1 to 57 except:

b_{-1} = 1, b_1 = 1, b_5 = 1, b_6 = -1, b_7 = -2, b_{10} = -2, b_{11} = 1, b_{15} = -2, b_{19} = 1, b_{22} = -2, b_{28} = 2, b_{29} = 1, b_{30} = 2, b_{31} = -2, b_{34} = 2, b_{40} = 2, b_{41} = 1, b_{42} = -2, b_{48} = 2, b_{55} = -1

At step 740, the q-series for f is obtained as:

f(q) = q^{-1} + 1 + 3q + 4q^2 + 7q^3 + 10q^4 + 17q^5 + 22q^6 + 32q^7 + 44q^8 + 62q^9 + 80q^{10} + 112q^{11} + 144q^{12} + 193q^{13} + 248q^{14} + 323q^{15} + 410q^{16} + 530q^{17} + 664q^{18} + 845q^{19} + 1054q^{20} + 1324q^{21} + 1634q^{22} + 2037q^{23} + 2498q^{24} + 3082q^{25} + 3760q^{26} + 4601q^{27} + 5580q^{28} + 6789q^{29} + 8186q^{30} + 8q^{31} + 1993q^{32} + 4388q^{33} + 7169q^{34} + 627q^{35} + 4494q^{36} + 9110q^{37} + 4575q^{38} + 1025q^{39} + 8356q^{40} + 7125q^{41} + 7218q^{42} + 9059q^{43} + 2813q^{44} + 8730q^{45} + 7152q^{46} + 8581q^{47} + 3277q^{48} + 1895q^{49} + 4675q^{50} + 2655q^{51} + 6093q^{52} + 6263q^{53} + 3636q^{54} + 9551q^{55} + 4936q^{56} + 1411q^{57}

At step 750, the power series expansions of f^2, f^3, ..., f^{29} are obtained using the q-series expression for f, above. At step 760, the terms S_k(q) are obtained, for example, S_16(q) = 8565 + 457q. At step 765, the terms c_k(q) are obtained, for example, c_14(q) = 5327 + 89q. At step 770, the following terms are set:

C_1(q) = 9882q^{-1} + 9853 + 776q
C_30(q) = q^{-2} + 8238q^{-1} + 5381

At step 775, the terms C_k(q) are obtained, for example, C_2(q) = 29q^{-1} + 9452. To execute step 780, processing proceeds to step 810 of Fig. 8.

For brevity, instead of discussing how to obtain all polynomials G_k, only the polynomial G_3 will be discussed. At step 810 of Fig. 8, z is set to z = C_3(q) = 9564q^{-1} + 8420. At step 820, t is set to t = 1. At step 830, R = 0, b = 1. At step 840, R = 9564J. At step 850, z = 8564. At step 860, since b ≠ 0, processing proceeds to step 870 where b is decremented to b = 0, and then returns to step 840. In the second iteration of step 840, R = 9564J + 8564. At step 850, z = 0. At step 860, b = 0, so at step 880, G_3 is set to G_3 = 9564J + 8564, and processing returns to step 790 of Fig. 7.

At step 790 of Fig. 7, the modular polynomial Ψ_29 is computed as:

Ψ_29(F, J) = F^{30} + (9882J + 714) F^{29} + (29J + 7642) F^{28} + (9564J + 8564) F^{27}
+ (1421J + 9576) F^{26} + (580J + 2026) F^{25} + (2969J + 729) F^{24}
+ (4264J + 8756) F^{23} + (1622J + 6533) F^{22} + (231J + 3005) F^{21}
+ (6003J + 4219) F^{20} + (7847J + 4570) F^{19} + (4556J + 8942) F^{18}
+ (5613J + 8192) F^{17} + (2349J + 1640) F^{16} + (4436J + 2545) F^{15}
+ (2625J + 8972) F^{14} + (4697J + 861) F^{13} + (6155J + 7530) F^{12}
+ (4605J + 2858) F^{11} + (2082J + 4883) F^{10} + (1815J + 1968) F^9
+ (6079J + 2675) F^8 + (118J + 4907) F^7 + (4424J + 9155) F^6
+ (1028J + 3410) F^5 + (4890J + 730) F^4 + (3190J + 9362) F^3
+ (4727J + 5869) F^2 + (2267J + 1683) F + (J^2 + 6750J + 5409)

and processing returns to step 210 of Fig. 5A.

At step 210 of Fig. 5A, i is set to i = 1. The next several iterations are omitted for brevity. For ℓ ∈ A_1, processing proceeds through step 380, that is, the auxiliary prime ℓ provided information, for ℓ being one of 41, 47, 59, 71, 61, 79, 89, 73, 131, 109, 97, 151, 167, 139 and 137. Discussion of this example resumes with step 440 of Fig. 5C.

At step 440 of Fig. 5C, i is set to i = 1. At step 450, the value M_i

M_i = 150783085059766145035730230806789

is compared with 4(9883)^{0.5} = 397.65. Since M_i is larger, processing proceeds to step 480, at which g is set to g = 9883 + 1 - 62 = 9822. At step 490, x is found to be x = 6. At step 500, the expression 9822/6 = 1637 is determined to be a prime number. At step 505, it is checked whether 1637 divides (9883)^k - 1. Since the result is negative, at step 510, E_i is determined to be an acceptable elliptic curve.

An example of using an elliptic curve obtained according to the present technique for encryption and decryption will now be discussed.

Let P be a point of prime order q on the curve E{a, b} over the finite field F_p of p elements. Let m be a secret positive integer less than q, m < q, and let G be the point m ⊗ P on E{a, b}, where ⊗ denotes scalar multiplication on the curve. The public key consists of (F_p, E{a, b}, P, q, G) and the private key consists of the integer m.

Encryption and decryption using this public/private key pair may be done as follows. Let M be the message to be encrypted; it is assumed that M is a positive integer smaller than p, the cardinality of F_p, M < p. To encrypt M, choose a random positive integer k less than q and compute the points k ⊗ P and k ⊗ G on the curve E{a, b}. Let k ⊗ G = (x, y). The encryption of M is (k ⊗ P, (x * M) mod p).

To decrypt an encrypted message consisting of the pair (R, S) encrypted according to the encryption method described above, where R is a point on the curve and S is a positive integer smaller than p, S < p, the owner of the private key m computes m ⊗ R on the curve E{a, b} using the private key m. Let m ⊗ R = (U, V). The decrypted message is (S/U) mod p.

For the example, with p = 9883, let P = (8508, 3003) be a point of order q = 1637 on the curve E{123, 765}: Y^2 = X^3 + 123X + 765 over F_9883 = F_p. Let m = 1234 be the private key. It follows that m ⊗ P = 1234 ⊗ (8508, 3003) = (4131, 9630) = G, the public point on the curve corresponding to m.

Let M = 1122 be the message to be encrypted. Randomly choose k = 635 and compute k ⊗ P = 635 ⊗ (8508, 3003) = (4071, 578), and k ⊗ G = 635 ⊗ (4131, 9630) = (5104, 8488). The encryption of M = 1122 is ((4071, 578), (5104 * 1122) mod 9883) = ((4071, 578), 4431).

To decrypt the message (R, S) with R = (4071, 578) and S = 4431, compute m ⊗ R = 1234 ⊗ (4071, 578) = (5104, 8488) = (U, V) with U = 5104. The decrypted message is (S/U) mod p = (4431/5104) mod 9883 = 1122. Note that the resulting decryption is the same as the message M that was encrypted.

An example of using an elliptic curve obtained according to the present technique for generation and verification of digital signatures will now be discussed.

Let P be a point of prime order q on the curve E{a, b} over the finite field F_p of p elements. Let m be a secret positive integer less than q, m < q, and let G be the point m ⊗ P on E{a, b}, where ⊗ denotes scalar multiplication on the curve. The public key consists of (F_p, E{a, b}, P, q, G) and the private key consists of the integer m.

Generation of a digital signature may be done as follows. Let d be the value of a cryptographically secure hash function applied to the message to be signed. Choose the hash function to assure 0 < d < q. Pick a random positive integer k, k < q. Calculate k ⊗ P = (x, y). Calculate r = (x + d) mod q and s = (k - mr) mod q. The digital signature for the message of hash value d is the pair (r, s).

Verification of a digital signature (r, s) for a message of hash value d is as follows. Calculate s ⊗ P + r ⊗ G = (x', y'). If the integers d and r - x' yield the same residue when divided by q, the signature is deemed valid. Otherwise, the signature is rejected.

For the example, with p = 9883, let P = (8508, 3003) be a point of order q = 1637 on the curve E{123, 765}: Y^2 = X^3 + 123X + 765 over F_9883 = F_p. Let m = 1234 be the private key. It follows that m ⊗ P = 1234 ⊗ (8508, 3003) = (4131, 9630) = G, the public point on the curve corresponding to m.

Let the hash value to be signed be d = 876 and let the randomly chosen integer be k = 101. Then k ⊗ P = 101 ⊗ (8508, 3003) = (7060, 9514), therefore x = 7060 and r = (7060 + 876) mod 1637 = 1388. Furthermore, s = (101 - 1234 * 1388) mod 1637 = 1248. Therefore, the signature is (1388, 1248).

To verify the signature (r, s) = (1388, 1248) for the message with hash value d, calculate s ⊗ P + r ⊗ G = (7060, 9514), so that x' = 7060. The integers d = 876 and r - x' = -5672 yield the same residue modulo q = 1637, namely, the residue 876. Therefore, the signature is accepted as valid.
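The two schemes above, run on the page's parameters (p = 9883, E{123, 765}, P = (8508, 3003) of order q = 1637, m = 1234), as an added Python example that is not the patent's own code. The affine point arithmetic, the None representation of the point at infinity and the function names are the example's own assumptions.

```python
# Added example (not the patent's own code): affine arithmetic on
# Y^2 = X^3 + aX + b over F_p, then the encryption/decryption and
# signature/verification schemes described above, run on the page's
# parameters.  The point at infinity O is represented by None.

P_MOD, A, B = 9883, 123, 765       # the description's curve E{123, 765}
Q_ORDER = 1637                     # prime order of the base point P
BASE = (8508, 3003)                # the base point P


def on_curve(pt):
    """True if pt is O or satisfies Y^2 = X^3 + A X + B (mod p)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Chord-and-tangent addition on E{A, B} over F_p (pow(_, -1, p) needs Python 3.8+)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                    # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k (x) pt by double-and-add."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


# Encryption of M with random k: (k (x) P, x(k (x) G) * M mod p).
def encrypt(M, k, G):
    x, _ = mul(k, G)
    return mul(k, BASE), x * M % P_MOD


# Decryption of (R, S) with private key m: (U, V) = m (x) R, message = S / U mod p.
def decrypt(R, S, m):
    U, _ = mul(m, R)
    return S * pow(U, -1, P_MOD) % P_MOD


# Signature of hash value d with random k: r = (x + d) mod q, s = (k - m r) mod q.
def sign(d, k, m):
    x, _ = mul(k, BASE)
    r = (x + d) % Q_ORDER
    s = (k - m * r) % Q_ORDER
    return r, s


# Verification: (x', y') = s (x) P + r (x) G, accept if d = r - x' (mod q).
def verify(d, sig, G):
    r, s = sig
    pt = add(mul(s, BASE), mul(r, G))
    if pt is None:
        return False
    xp, _ = pt
    return d % Q_ORDER == (r - xp) % Q_ORDER


if __name__ == "__main__":
    m = 1234                          # private key from the description
    G = mul(m, BASE)                  # public point, (4131, 9630)
    R, S = encrypt(1122, 635, G)      # ((4071, 578), 4431)
    print("ciphertext:", R, S, "plaintext:", decrypt(R, S, m))
    sig = sign(876, 101, m)           # (1388, 1248)
    print("signature:", sig, "valid:", verify(876, sig, G))
```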

Although an illustrative embodiment of the present invention, and various modifications thereof, have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to this precise embodiment and the described modifications, and that various changes and further modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention as defined in the appended claims.
What is claimed is:

1. A method of selecting an elliptic curve for a cryptosystem, comprising the steps of:
selecting a prime number p defining a field F_p,
selecting a set of candidate elliptic curves E_i over the field F_p,
finding a set of modular polynomials Ψ_ℓ modulo p for a list of candidate auxiliary primes ℓ by a calculation in characteristic p using a stored polynomial P_ℓ,
finding the roots modulo p of the modular polynomials Ψ_ℓ,
generating kernel polynomials h(X) based on the roots of the modular polynomials Ψ_ℓ,
finding an eigenvalue e for one of the kernel polynomials h(X),
obtaining a value t based on the eigenvalue e and the prime number p,
obtaining the number of points of one of the candidate elliptic curves E_i over F_p using the value t to make a determination whether the candidate elliptic curve is sufficiently secure, and
selecting the candidate elliptic curve for the cryptosystem when the determination is that the candidate elliptic curve is sufficiently secure.

2. The method of claim 1, wherein the step of finding is performed without table look-up of the modular polynomials Ψ_ℓ.

3. The method of claim 1, wherein, when the determination is that the candidate elliptic curve is insufficiently secure, the step of comparing is repeated for another of the candidate elliptic curves E_i.

4. The method of claim 1, wherein the list of auxiliary primes is A = {3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 47, 59, 71, 53, 61, 79, 83, 89, 101, 73, 131, 103, 107, 109, 97, 113, 151, 167, 127, 179, 139, 191, 149, 137, 173}.

5. The method of claim 1, wherein the prime number p has about 200 bits.

6. The method of claim 1, wherein the number of points of the selected elliptic curve is a product of a second prime number and a cofactor, the cofactor having up to 5 bits.

7. A method of encrypting a message M, comprising the steps of:
selecting an elliptic curve E according to the method of claim 1;
selecting a point P of prime order q on the selected elliptic curve E over the field F_p;
selecting a secret positive integer m and a random positive integer k, m < q, k < q;
obtaining the points k ⊗ P and k ⊗ (m ⊗ P) = (x, y) on the curve E; and
obtaining the point (k ⊗ P, (x * M) mod p) as the encrypted message.

8. A method of obtaining a digital signature for a message M, comprising the steps of:
selecting an elliptic curve E according to the method of claim 1;
selecting a point P of prime order q on the selected elliptic curve E over the field F_p;
selecting a secret positive integer m and a random positive integer k, m < q, k < q;
obtaining a cryptographically secure hash value d between 1 and q - 1 of the message M;
calculating k ⊗ P = (x, y); and
obtaining the pair ((x + d) mod q, (k - m(x + d)) mod q) as the digital signature.

9. A portable device for encoding information using an elliptic curve cryptosystem, comprising:
means for selecting an elliptic curve by finding the roots of modular polynomials Ψ_ℓ modulo p for a list of candidate auxiliary primes ℓ and a prime number p by a calculation in characteristic p using a stored polynomial P_ℓ, and
means for encoding the information using the selected elliptic curve.

10. The device of claim 9, further comprising means for decoding received information using the selected elliptic curve.

11. A portable device for digitally signing information using an elliptic curve cryptosystem, comprising:
means for selecting an elliptic curve by finding the roots of modular polynomials Ψ_ℓ modulo p for a list of candidate auxiliary primes ℓ and a prime number p by a calculation in characteristic p using a stored polynomial P_ℓ, and
means for digitally signing the information using the selected elliptic curve.

12. The device of claim 11, further comprising means for verifying a received digital signature using the selected elliptic curve.